On 06/12/15 07:55, Ruchir Arya wrote:
> Hi Brane, I didn't get you. How can the server admin modify the content
> if contents are signed? Let me give a scenario, suppose we implement
> Public Key Infrastructure in SVN, where each client generates its
> private key and public key and registers this public key with the server
> so that anyone can access the public key to verify the contents.
> Suppose the algorithm works in this way.
> 1. Client computes hash of (contents concatenated with some revision
> properties), then signs this hash with its private key and sends this
> signed hash with the contents and revision properties.
> 2. So, now if the server modifies any content, the server doesn't know the
> private key of the client, so the server can't generate a valid signed hash.
> 3. Hence I agree with you, the server can put some garbage data. But the
> server won't be able to make a false accusation against some other client.
> (Like in current SVN, the server can change the name of the client in log
> files, and it can accuse some other client for that particular commit.)
> 4. But after implementing PKI, the server can't accuse another client. It
> just can corrupt data, which can be determined too at the time of
> verification of the signed hash using the public key.
On the server you could create a new key and sign the modified revision
with this key. Then the verification won't fail. Keys could be signed to
prevent this.
The next question is: What can you do when you find out that somebody
changed a revision? The data may be lost forever. Except if you have a
copy of the whole repository.
- Martin
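The three situations discussed in this thread, played out in code. This is an added example, not code from the thread or from Subversion itself: it assumes Ed25519 as the signature algorithm, a SHA-256 digest over a JSON encoding of contents plus revision properties (standing in for Ruchir's "contents concatenated with some revision properties"), and a single trusted "authority" key that certifies client keys (Martin's "keys could be signed"). The revision property names `svn:author` and `svn:log` are Subversion's own; the author name, file path and contents are constructed sample data. `VerifyRaw` is the check Ruchir describes; `VerifyCertified` is that check plus the key certification Martin suggests.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Revision is what a client commits: file contents plus revision properties.
// Binding svn:author into the signed data is what stops the server from
// reattributing the commit to another client.
type Revision struct {
	Contents map[string]string `json:"contents"`
	Props    map[string]string `json:"props"`
}

// SignedCommit is what the client sends: the revision, the key it signed
// with, the signature over the digest, and the authority's certificate for
// that key (nil when keys are not signed).
type SignedCommit struct {
	Rev     Revision
	PubKey  ed25519.PublicKey
	Sig     []byte
	KeyCert []byte
}

// digest hashes the contents together with the revision properties.
// encoding/json sorts map keys, so the encoding is deterministic.
func digest(r Revision) []byte {
	enc, err := json.Marshal(r)
	if err != nil {
		panic(err) // string->string maps always marshal
	}
	sum := sha256.Sum256(enc)
	return sum[:]
}

// certifyKey is the "keys could be signed" step (assumed design): a trusted
// authority signs a client key together with the identity it belongs to.
func certifyKey(authority ed25519.PrivateKey, pub ed25519.PublicKey, author string) []byte {
	return ed25519.Sign(authority, append([]byte(author+"\x00"), pub...))
}

// signCommit is step 1 of the quoted scheme: sign the digest with the
// client's private key and attach the public key (and certificate, if any).
func signCommit(priv ed25519.PrivateKey, cert []byte, r Revision) SignedCommit {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedCommit{Rev: r, PubKey: pub, Sig: ed25519.Sign(priv, digest(r)), KeyCert: cert}
}

// VerifyRaw checks only that the signature matches whichever key the commit carries.
func VerifyRaw(c SignedCommit) bool {
	return ed25519.Verify(c.PubKey, digest(c.Rev), c.Sig)
}

// VerifyCertified additionally requires the carried key to be certified by
// the authority for the author named in the revision properties.
func VerifyCertified(c SignedCommit, authority ed25519.PublicKey) bool {
	keyMsg := append([]byte(c.Rev.Props["svn:author"]+"\x00"), c.PubKey...)
	return ed25519.Verify(authority, keyMsg, c.KeyCert) && VerifyRaw(c)
}

// Outcome records how each verifier judges each variant of the commit.
type Outcome struct {
	GenuineRaw, GenuineCert   bool
	TamperedRaw, TamperedCert bool
	ResignedRaw, ResignedCert bool
}

// Demo plays the three cases from the thread on constructed sample data.
func Demo() Outcome {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := certifyKey(authPriv, clientPub, "ruchir")

	rev := Revision{
		Contents: map[string]string{"trunk/README": "hello\n"},
		Props:    map[string]string{"svn:author": "ruchir", "svn:log": "add README"},
	}
	genuine := signCommit(clientPriv, cert, rev)

	// Ruchir's case 2: the server edits content but cannot re-sign with the client's key.
	tampered := genuine
	tampered.Rev = Revision{Contents: map[string]string{"trunk/README": "evil\n"}, Props: rev.Props}

	// Martin's case: the server makes its own key and signs the modified revision with it.
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := signCommit(serverPriv, nil, tampered.Rev)

	return Outcome{
		GenuineRaw: VerifyRaw(genuine), GenuineCert: VerifyCertified(genuine, authPub),
		TamperedRaw: VerifyRaw(tampered), TamperedCert: VerifyCertified(tampered, authPub),
		ResignedRaw: VerifyRaw(resigned), ResignedCert: VerifyCertified(resigned, authPub),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The genuine commit passes both checks, the tampered-but-not-re-signed commit fails both, and the server-re-signed commit passes the raw check yet fails the certified one, because the server's fresh key carries no certificate from the authority. That is exactly the gap Martin points at: the signature proves only that the holder of whatever key is attached signed the data, so the verifier must also know which keys are legitimately the client's. Note that neither check recovers the original data once it is gone, which is Martin's second point.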